Today I am finally doing an official release of
unrarhp, a Unix command-line
proof-of-concept brute forcer to recover the passwords of RAR archives encrypted with
the RAR 3.x "-hp" option. As far as I know this is the only RAR "-hp" brute
forcer that is open source and free. I wrote this cracker back in 2004 for a
computer security contest organized at Epitech, a French computer science school. I had
to study the source code of the Unix version of "unrar", because at the time
the format of encrypted archives was not documented (I am not sure whether it is today).
There are two different ways to encrypt a RAR archive; the rar CLI tool exposes
them through two options:

-p option, which encrypts only the content of the files in the
archive, while file metadata (filenames...) are not encrypted

-hp option, which encrypts the internal block headers that contain
file metadata, as well as the content of the files

I have never looked at the -p encryption; unrarhp works only against archives
encrypted with -hp, but the two encryption mechanisms are definitely based on
the same concepts. When encrypting a RAR archive with "-hp", RAR generates a
random 64-bit salt, the UCS-2 encoded password is
concatenated to the salt, and the salt-password pair is hashed with 262144 rounds of
a function based on SHA-1, which eventually outputs the 128-bit IV and 128-bit
key used to AES-encrypt data blocks in ECB mode.
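The key derivation described above, as an added Python example that is not unrarhp's code: the 3-byte round counter, the IV byte sampled every 16384 rounds and the byte-swapped key words are details taken from the unrar source rather than from this post, and the salt used in the demo is a constructed value.

```python
import hashlib
from typing import Tuple

ROUNDS = 262144          # 2^18 SHA-1 update rounds, as described in the post
IV_STEP = ROUNDS // 16   # unrar samples one IV byte every 16384 rounds


def rar3_derive_key_iv(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive the 128-bit AES key and 128-bit IV of a RAR 3.x -hp archive.

    One running SHA-1 absorbs password+salt plus a little-endian round
    counter in every round; the IV is collected from intermediate digests
    and the key is the byte-swapped first four digest words (unrar layout).
    """
    if len(salt) != 8:
        raise ValueError("RAR 3.x uses a 64-bit salt")
    # UCS-2 password first, then the salt (UTF-16-LE equals UCS-2 for BMP text)
    seed = password.encode("utf-16-le") + salt
    sha = hashlib.sha1()
    iv = bytearray(16)
    for i in range(ROUNDS):
        sha.update(seed)
        sha.update(bytes((i & 0xFF, (i >> 8) & 0xFF, (i >> 16) & 0xFF)))
        if i % IV_STEP == 0:
            # the last digest byte at this checkpoint becomes an IV byte
            iv[i // IV_STEP] = sha.copy().digest()[19]
    digest = sha.digest()
    # unrar writes each 32-bit digest word low byte first
    key = b"".join(digest[j:j + 4][::-1] for j in range(0, 16, 4))
    return key, bytes(iv)


if __name__ == "__main__":
    # constructed salt, not taken from any real archive
    key, iv = rar3_derive_key_iv("secret", bytes(range(8)))
    print("key", key.hex(), "iv", iv.hex())
```

Because every file in a -hp archive shares the same salt, this derivation runs once per password guess for the whole archive, which is what makes the known-plaintext check cheap relative to the 262144 hashing rounds.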

As a side remark, note that the fact that AES is used in ECB mode, and the
fact that the same salt is reused for each file in the archive are serious
cryptographic mistakes. This may open some yet undiscovered attack paths...

Unrarhp verifies passwords by using a trick that I am not sure any
other RAR brute forcer uses: encrypted RAR archives seem to always contain
an "end-of-archive" block that is the constant 7-byte plaintext blob
"c4 3d 7b 00 40 07 00", so unrarhp simply compares the decrypted data
with this known plaintext. The code is completely unoptimized and re-uses
the SHA-1 and AES implementations of RAR, but it works. I
first posted the code on the BarsWF forum to help others, and I believe IvanG (author of
rargpu) wrote his brute forcer with the help of my code.

For more information and how to use the brute forcer, see the README file
in the unrarhp tarball.